A bug bounty writeup demonstrating unrestricted file upload leading to RCE by bypassing extension filters through MIME type manipulation in GET parameters, chaining with PUT requests, and exploiting alternative PHP extensions (phps, php3, php5) that bypass .php filtering to execute arbitrary code.
A researcher bypassed file upload restrictions by manipulating MIME type parameters in GET/PUT requests, ultimately achieving RCE through uploading a PHP backdoor with an alternative extension (php5/php7) after initial PNG/JPG restrictions were enforced.
A critical XSS vulnerability on Facebook's CDN was achieved by encoding malicious JavaScript into PNG IDAT chunks, uploading the image as an advertisement, then serving it with an .html extension to trigger HTML interpretation via MIME sniffing. The attacker leveraged document.domain to access the fb_dtsg CSRF token from www.facebook.com and bypass LinkShim protections.